Add SuspiciousHttpTimeouts signature for low timeouts#590
Conversation
Implements a signature to detect suspicious low WinHTTP or WinINet timeouts, indicating potential C2 techniques.
There was a problem hiding this comment.
Code Review
This pull request introduces a new Cuckoo signature, SuspiciousHttpTimeouts, to detect malware setting unusually low WinHTTP or WinINet timeouts. The review feedback highlights critical improvements: handling potential hex strings for WinHTTP timeouts to avoid silent parsing failures, prioritizing the dereferenced pretty_value for InternetSetOption buffer values to prevent false negatives from pointer addresses, and refactoring the signature to use the standard self.data list so that matched evidence is correctly included in the final Cuckoo report.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Implements a signature to detect suspicious low WinHTTP or WinINet timeouts, indicating potential C2 techniques.
8cab1d33dade4a006061c021c00eb692dc346223369916755360ad00906df84b (Socks5Systemz)
